diff --git a/src/lib/server/utils/hmac.ts b/src/lib/server/utils/hmac.ts
index d1cb615..a656c47 100644
--- a/src/lib/server/utils/hmac.ts
+++ b/src/lib/server/utils/hmac.ts
@@ -1,8 +1,16 @@
 import { createHmac, timingSafeEqual } from "node:crypto";
 
 export function verifySignature(secret: string, body: string, signature: string): boolean {
- const expected = createHmac("sha256", secret).update(body).digest("hex");
+ // Try HMAC verification first (GitHub-style: sha256=)
 const cleaned = signature.replace(/^sha256=/, "");
- if (cleaned.length !== expected.length) return false;
- return timingSafeEqual(Buffer.from(cleaned, "hex"), Buffer.from(expected, "hex"));
+ if (/^[0-9a-f]{64}$/i.test(cleaned)) {
+ const expected = createHmac("sha256", secret).update(body).digest("hex");
+ return timingSafeEqual(Buffer.from(cleaned, "hex"), Buffer.from(expected, "hex"));
+ }
+
+ // Fall back to direct token comparison (GitLab-style: X-Gitlab-Token)
+ const sigBuf = Buffer.from(signature);
+ const secretBuf = Buffer.from(secret);
+ if (sigBuf.length !== secretBuf.length) return false;
+ return timingSafeEqual(sigBuf, secretBuf);
 }
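Review bot: The verification scheme is selected from the shape of `signature` rather than from which header the caller read it from, so a GitLab-style shared token that happens to be 64 hex characters is routed into the HMAC branch and can never match, while a GitHub delivery carrying a malformed `sha256=` value falls through to a plain comparison against the raw secret. Separately, the new fallback accepts an empty token when `secret` is the empty string, since `timingSafeEqual` on two zero-length buffers returns true; the removed code required a correct HMAC regardless of the secret's length. The caller knows the header name, so let it pass an explicit mode and reject an empty secret before either comparison; keeping `"auto"` as the default preserves the current call sites. The sketch below keeps the two comparison bodies as they are in the hunk.
```typescript
export function verifySignature(
  secret: string,
  body: string,
  signature: string,
  mode: "hmac" | "token" | "auto" = "auto",
): boolean {
  // An empty secret must never verify anything: Buffer.from("") equals Buffer.from("").
  if (secret.length === 0) return false;
  const cleaned = signature.replace(/^sha256=/, "");
  const looksLikeDigest = /^[0-9a-f]{64}$/i.test(cleaned);
  if (mode === "hmac" || (mode === "auto" && looksLikeDigest)) {
    // In explicit HMAC mode a non-hex value is a rejection, not a fall-through.
    if (!looksLikeDigest) return false;
    // … unchanged: compute expected digest and timingSafeEqual against cleaned …
  }
  // … unchanged: length check and timingSafeEqual of signature against secret …
}
```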